Blast from the Past: Blackhole Exploit Kit Resurfaces in Live Attacks

Update (11/19/15): The hosting provider, AdvancedHosters, replied to our complaint. They have servers in the US and also around the world but are based in The Netherlands.

“According to our investigation, the customer has not been involved in hacking/running malicious scripts/malware distribution activity. If you require further information, or have any questions, please do not hesitate to contact us. Regards,” AdvancedHosters Customer Support

No comments, the evidence speaks for itself.

This case is very strange, to say the least, and it is possible that there is an ulterior motive behind it, which we are still investigating.

– –

The year is 2015 and a threat actor is using the defunct Blackhole exploit kit in active drive-by download campaigns via compromised websites.

We noticed Java and PDF exploits collected by our honeypot which we haven’t seen in ages. Looking closer at the structure of this attack, we were surprised when we realized this was the infamous Blackhole.

Blackhole’s author, Paunch, was arrested in October 2013, and while criminals kept using the kit for the next few months, its exploits slowly aged and lost value for lack of further development.

The new drive-by download attacks we caught over the weekend rely on the same structure as the original Blackhole, even reusing the old PDF and Java exploits. The only difference is the malware payload being dropped, which is current and has very low detection on VirusTotal.
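The chain described above (a landing page, then Java or PDF exploit objects, then an executable payload from the same host) is what a defender can look for in web proxy logs. The following detector is an added example and not code from the original post; the log format, field layout, hostnames and timestamps are all constructed for illustration.

```python
"""Flag Blackhole-style drive-by download chains in web proxy logs.

Added example, not from the original post. The chain it looks for is:
one client fetches an HTML landing page, then a Java archive and/or a
PDF from the same host, then an executable, all within a short window.
The log lines, hostnames and the space-separated field layout
(timestamp client dest_host path content_type) are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one drive-by chain from 10.0.0.5 and benign
# jar/pdf downloads from 10.0.0.7 that must not trigger an alert.
SAMPLE_LOG = """\
2015-11-15T10:00:01 10.0.0.5 www.example-news.test /index.html text/html
2015-11-15T10:00:02 10.0.0.5 exploit-host.test /abc/ text/html
2015-11-15T10:00:04 10.0.0.5 exploit-host.test /abc/load.jar application/java-archive
2015-11-15T10:00:05 10.0.0.5 exploit-host.test /abc/read.pdf application/pdf
2015-11-15T10:00:08 10.0.0.5 exploit-host.test /abc/payload.exe application/x-msdownload
2015-11-15T10:05:00 10.0.0.7 cdn.example.test /lib/app.jar application/java-archive
2015-11-15T10:30:00 10.0.0.7 cdn.example.test /docs/manual.pdf application/pdf
"""

# Content types treated as exploit carriers and as dropped payloads (assumed).
EXPLOIT_TYPES = {"application/java-archive", "application/pdf"}
PAYLOAD_TYPES = {"application/x-msdownload", "application/octet-stream"}
WINDOW = timedelta(seconds=60)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path, ctype = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "host": host, "path": path, "ctype": ctype})
    return events


def find_driveby_chains(events, window=WINDOW):
    """Return (client, host, exploit_paths, payload_path) tuples.

    A hit requires, for one client and one destination host, an HTML
    response followed within `window` by at least one exploit-type
    object and then an executable payload. Exploit files alone (as from
    a legitimate CDN) are not enough to alert.
    """
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[(e["client"], e["host"])].append(e)

    hits = []
    for (client, host), evs in by_key.items():
        for i, landing in enumerate(evs):
            if landing["ctype"] != "text/html":
                continue
            exploits, payload = [], None
            for e in evs[i + 1:]:
                if e["ts"] - landing["ts"] > window:
                    break
                if e["ctype"] in EXPLOIT_TYPES:
                    exploits.append(e["path"])
                elif e["ctype"] in PAYLOAD_TYPES and exploits:
                    payload = e["path"]
                    break
            if exploits and payload:
                hits.append((client, host, exploits, payload))
                break  # one alert per client/host pair is enough
    return hits


if __name__ == "__main__":
    for client, host, exploits, payload in find_driveby_chains(parse_log(SAMPLE_LOG)):
        print(f"ALERT {client} -> {host}: exploits={exploits} payload={payload}")
```

The ordering requirement (landing page, then exploit object, then executable) is what keeps the benign jar and PDF downloads from the constructed CDN host out of the results; tune the window and content-type sets to the proxy you actually run.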

The server used to host the exploit infrastructure happens to be fully browsable (thanks @MeJz024 for the tip). The folder structure shows beyond doubt that this is taken straight from the leaked Blackhole source code.

Although the exploits are old, there are probably still vulnerable computers out there that could get compromised. We also noticed that the author behind this Blackhole edition was working on new landing pages, so additional changes are possible in the future.